Posted by timothy on Saturday December 03, 2011 @05:40PM
from the hey-it-was-free-why-are-you-griping dept.

alphadogg writes "A Cornell University professor is calling the controversial Carrier IQ smartphone software revelations a privacy disaster. 'This is my worst nightmare,' says Stephen Wicker, a professor of electrical and computer engineering at Cornell. 'As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.'" Read on for a grab-bag of other news about the ongoing story of Carrier IQ's spyware.

Franken has more reason, apparently, to look into this than might legislators in other countries; an anonymous reader submits news that Cambridge researchers have found the software to be confined to (or at least only confirmed in) American customers' phones. From their report: "We performed an analysis on our dataset of 5572 Android smartphones that volunteers from all over the world helped us create. From those 5572 devices, only 21 were found to be running the software, all of them in the US and Puerto Rico. The affected carriers we observed were AT&T, Boost Mobile and Sprint. We found no evidence of the Carrier IQ software running on Android devices in any other country."

Another anonymous reader suggests that "Apart from anything else, the fundamental mistake that Carrier IQ made was attempting to silence a developer using a heavy-handed legal threat. Certainly this was the tipping point in terms of bringing the whole incident to the public's attention."

Like apparently begets like; reader adeelarshad82 writes "Not surprisingly, the Carrier IQ controversy has resulted in some legal action. Class-action lawsuits have been filed in California and Missouri that accuse Carrier IQ, as well as Samsung and HTC, of violating federal wiretap laws. The California case was filed on behalf of four smartphone users with HTC and Samsung devices and accuses the companies of violating the Federal Wiretap Act, which prohibits the unauthorized interception or illegal use of electronic communications, and California's Unfair Business Practice Act."

Finally, GMGruman writes with the cautionary note that Carrier IQ and Facebook pose "the least of your privacy threats": "[S]o far these forms of monitoring anonymize the data, so an individual's actual privacy is not invaded. And while people fret over these potential invasions, a more pernicious privacy invasion is under way, one that monitors actual individuals and then uses that information to try to direct their behavior. For example, car insurers give monitoring boxes to customers to track their driving behavior and offer a discount if it is 'good.' Of course, the flip side is higher rates or no coverage if the black box decides you are 'bad.' And, as this blog post points out, this is just one of many such 'Big Brother corporation' efforts out there that give significant power to insurers and others who have a history of abusing personal information, such as for redlining and coverage denial."

Isn't it interesting that the only OS that sent the info out by default was Android? iPhone didn't. While they were there too, Carrier IQ was disabled by default.

And after all, Carrier IQ was just Google Analytics to mobiles. I can just hope that people start the same kind of uproar once they realize how much Google is spying on them. If it's not allowed on mobiles, I don't see why it should be allowed on our computers and internet. Maybe there's still some hope in humankind.

The story "Usually coupled with a lot of FUD" has been circling the facebooks, g+s and reddits for about a week(?) now. Mass media have also gotten attention to it, I saw it on the news yesterday on a b side channel..

What I still can't fathom is why Apple was shipping it "disabled" by default.... misplaced bits?

Apple has already released what they used to use it for (it was removed in iOS5 except for a few stray bits that no longer function which are to be removed in future updates). It was used to collect anonymous usage data, but only if the user opted to turn on the Diagnostic usage. It was set up that way on purpose.

"The device ends up storing about 200 kilobytes of data," he says. "That's typical upload size. When it gets to the point that it's full, it'll do an upload or it'll drop data and start wrapping and store summary information." (Customers aren't charged for the upload, and it's disabled when the phone is roaming.)
How Carrier IQ was wrongly accused of keylogging [cnet.com]

I didn't say I believed them but... First of all, the thing that was demonstrated is that CIQ spits out debugging messages containing key strokes. Who's to say that this isn't just an echo of an unimplemented feature? Nobody has shown a remotely convincing proof that this information is stored. Keylogger stores keystrokes.

The customer is paying. Minimally you could assume this will only send out info when you have a data connection established. The payload is too large to make use of the signalling system (which is often saturated with SMS as it is) so it's either carrier data or wifi.

Nice troll, but the vanilla Android devices (Nexus line) don't ship with the CarrierIQ software, which means that either the handset manufacturers or, much more likely given the US-centric focus, the carriers are responsible for installing it.

the vanilla Android devices (Nexus line) don't ship with the CarrierIQ software, which means that either the handset manufacturers or, much more likely given the US-centric focus, the carriers are responsible for installing it.

...Which is a very good point. Google gives not only end users but also manufacturers and carriers relatively free rein over Android phones. Apple retains much more control over the iPhone.

While it's easy to see how Apple's strategy can hurt power users, Google's strategy can hurt users also.

Freedom can hurt people, yes. Freedom also lets you install vanilla android (or a community flavor, or whatever). The only problem with that might be some kind of warranty violation--but again, that is an evil of the manufacturer or carrier. Not Google.

AT&T can still violate the privacy of your iPhone. So can Apple. Google _cannot_ because (theoretically) you could check for and remove such violations. Is that done? Well, maybe or maybe not. But that's still better than Apple where it's impossible.

Between iOS and Android, you're just trading one bucket of problems for another. Siri will find you a dentist if you tell it you broke a tooth and point you to the nearest escort agency if you're looking for one, but it won't help you if you need to get your birth control prescription refilled. If you tell it you've been raped, it blithely replies, "Really!"

Apple and Wolfram Alpha can say what they like about the service's beta status; the likeliest reason for this is that they didn't want to touch one aspect of societal behaviour because it might upset parents and affect sales to teens.

Google errs on the other side, empowering handset providers, allowing them to indulge their baser instincts when it comes to how they view customers on their networks. For telcos, the customer is the commodity.

In both cases, corporate entities feel entitled to decide what we are allowed to know about them and what they are allowed to know about us. The contrast between the two couldn't be stronger.

The only way to square this circle is to remove the dichotomy altogether. Paradoxically, the only way we can be sure that others aren't abusing our private data is through transparency, which requires less, not more, privacy. In the end, the best we can hope for is a kind of neo-Victorianism, in which we are more willing to accept polite behaviour at face value and overlook all but the more egregious failings. Ultimately, we will have to learn to accept that we are all no better than we should be.

I have no faith whatsoever that American society will be able to accomplish this. The Protestant ethic of probity and respect has long since been extinguished in favour of a mix of fundamentalist, moralistic witch-hunts and ugly prurience.

Paradoxically, the only way we can be sure that others aren't abusing our private data is through transparency, which requires less, not more, privacy.

You've got it mixed up. The "transparency" is for the corporations and government who exist because we as a society allow them to. Corporations exist because governments allow them to exist and governments exist because we allow them to.

People get privacy. Every level of organization above the family gets transparency. Let me say it again: Privacy is for human beings. Transparency is for organizational entities that are not human.

If you breathe, you get privacy. If you exist because of a piece of paper, such as a corporation or government, you get transparency. That's the way it's supposed to work. When we start to assign metaphysical meaning to these paper entities, via fallacies such as patriotism and the "free market" then we get into all sorts of trouble. We think we can't expect transparency from our government because "we're patriotic and our government can do no wrong". We say we can't expect transparency from corporations because "corporations are persons and they have the rights of persons". We can see how quickly such notions can totally fuck things up.

We have heard a lot from the tea party saying "government needs to fear the people" and just because it's nothing more than a slogan to them doesn't mean they're not right. Just the same, corporations need to fear the people, maybe even more than governments because of the special benefits they have been given by society. I say, it's best to make sure we understand that both governments and corporations only exist to the extent that we allow and we have every right to demand transparency from both. Of course, people who would misuse the special benefits we have given them hate the notion of transparency and hate the notion that governments and corporations are ultimately answerable to the people (and not just people as consumers, by the way). That's why you're seeing the wildly over-the-top response to the anti-corporate message of Occupy Wall Street. Because if people figure out that we don't have to allow corporations to fuck with our lives then all hell could break loose and some very wealthy and powerful people might be made very uncomfortable.

I don't know where you got the idea that transparency requires less privacy for people, but it's a very dangerous and very wrong notion. You really need to re-think this.

Nice troll, but the vanilla Android devices (Nexus line) don't ship with the CarrierIQ software, which means that either the handset manufacturers or, much more likely given the US-centric focus, the carriers are responsible for installing it.

By "responsible" you need to mean that the carriers asked the manufacturer to install, enable and configure (to a carrier defined list of settings) Carrier IQ on a device and that the manufacturer agreed to do so.

There is a quote or comment somewhere (can't find it) from someone who said something like "I work/worked for an android OEM and AT&T basically said 'install CarrierIQ or we won't sell the product'". I may have gotten the details wrong because I can't find or remember the exact quote/comment but the gist of it is that it's the carriers that are insisting on this and the handset makers have no choice but to comply.

I'd say Android provides more freedom for the user and developer than the iPhone or any of the other default phone operating systems (not sure about Windows phones). You can add non-market software to them without jailbreaking them. You can't do that with the iPhone or (last I heard) a Blackberry.

Any of them are going to come with crap the manufacturer wants on there, and likely prevents you from uninstalling it as best they can. The carriers are worse,

What you don't get is the ability to put any software you want on other people's phones by letting them download your application from your web site, you have to go through iTunes for that, and doing that requires Apple to approve your application. But when we get to that point, we've stopped talking about developer freedom and started talking about entrepreneurial freedom, which is something completely different.

PS: iPhones don't come with carrier crap installed; that's one of the reasons Apple didn't initially partner with Verizon; the other two reasons were the Qualcomm patent tax on CDMA hardware, and Verizon not wanting to set up a Visual Voice Mail service that met Apple's requirements.

PPS: All of the projects for running Linux on phones are only going to get somewhere if they break signature verification in the boot loaders, and the baseband software runs on a separate chip, rather than on the same chip as applications. That lets out a lot of smartphones (e.g. anything running a Qualcomm Snapdragon CPU). If they try to go ahead on those phones anyway, men in suits will show up citing the Code of Federal Regulations, 47, Section 2.944 covering Software Defined Radio.

If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.

Concerning the PS, yes, you're right. Apple is likely the one exception, since they're really the only ones who can get away with it.

If you're allowed to develop, but not distribute, then your freedom as a developer has been compromised. Consider the various free applications available from the Cedega app installer - there's no entrepreneurial angle there.

There would be nothing stopping you distributing your code for an iOS app. In order for your "users" to install it though, they would need to pay the $99 fee for a developer license or be jailbroken. Your right as a developer to distribute software is still there, not very conveniently though but there nonetheless.

Not really, at least not in any meaningful sense. Just like how copyright law allows you to make duplicates of copyrighted material for personal use... but denies you the right to acquire the tools needed to do that in most cases. A right that you have but do not have the power to exercise is not a right but is, in the end, a privilege. One that may be revoked at any time.

The carriers are worse, so if you bought a phone with a carrier bundle, you've got all kinds of crap on there you likely don't want. The base OS of the phone doesn't really matter - Android, iOS, BlackberryOS etc. all have crap added to them that you'd probably rather not have.

Would you clarify what AT&T added to my iPhone that I'd rather not have?

That might be so, but it doesn't change the fact that it's only Android devices where it's enabled by default.

That's probably because the carriers are not able to enable it in iOS. So Apple - the only manufacturer of iOS devices - doesn't want it enabled in their phone, and the carriers are not able to do this. Android is more open, so either the phone manufacturers like Samsung and HTC can install it, or the carriers. So it's true, but it's only true because of the open nature of Android.

But as others have pointed out, the article says it's the carriers who have installed it on the Android phones, along with the "enhanced" shells and crap that they insist on.

But Apple doesn't allow the carriers to do that, so guess who installed Carrier IQ on your phone, regardless as to whether it's enabled by default or not. That is to say, it's not enabled in THIS version of iOS. But of course Apple can enable it in the next update if they choose. After all, they didn't tell you it was on your phone in the firs

Yes, but if our only choice was iOS-like phones, we probably would not know about it yet. Then it would be sitting there waiting to be activated at some point. The fact that it was on the iPhones suggests that Apple would have turned it on at some point (not that Apple should be condemned, just that one should not get too comfortable with the fact that they had it turned off by default at this time).

Isn't it interesting that the only OS that has Carrier IQ on every single device, supplied by the OS developer, is iOS?

See, it works both ways. Now how about we stop turning this into a retarded smartphone manufacturer fanboy flamewar and throw stones at Carrier IQ and the carriers that support them, which is where they belong?

As a Linux fan through and through for fourteen years and counting I am endlessly surprised at the android circle jerk. Linux's customers are smart people who choose to use Linux, and Linux distro providers work to supply them with what they want. Apple's customers are (probably also) smart people who don't want to care how a computer works (for good or bad) or customers with money to burn. Still, Apple work to give them what they want. Microsoft's customers are people who want to get a job done with stand

As a 'Linux fan', you should know that not everything provided in your install was provided by the manufacturer, or was part of 'Linux'. Neither is CarrierIQ in any way part of Android. It is a separate piece of software, installed on some Android based phones by the carrier. It does not send data to Google, and there is even some debate on whether it sends anything, or merely logs it. Google is not benefitting from this data, nor can they sell it to others, since it isn't data they collected, or even knew about. It also, I might add, is installed on every iPhone from AT&T. It is likely still logging, but only sends the data back to CIQ if you allow it (which on older iPhones, is when you activate it. There seems to be no way to turn it off after that).

There is a big, BIG difference between CIQ and Google Analytics. Google Analytics tracks your browsing behavior, which is on the open web, and is being done in public. While it is certainly creepy that your web browsing behavior is being tracked, you are still doing all of that in public, where you have no expectation of privacy. CIQ, on the other hand, is a keylogger. It can track private communications that you are intending to send out encrypted before you even send them. This is a whole different ball of wax, and is considered to be criminal behavior in almost all cases in the PC world. Comparing Google Analytics to CIQ is like comparing a case of the common cold to Ebola, there are certainly similarities, but one is VERY different in terms of degree.

Um, there was a video which showed how keystrokes are logged to a file as they are being entered. It's still an open question whether said log file is transmitted anywhere after it has been logged - and the linked article seems to say that it's not - but why log it, then?

So on the one hand we have a security researcher being quoted in the news and we are going on his word that he disassembled the software and found no evidence that it was capturing keystrokes. His credentials are that he discovered vulnerabilities in Linux.

On the other hand we have a video of an active android developer who originally found the CarrierIQ software showing via the Android debugger that when he presses a key on his Android device that key gets passed to and processed by Carrier IQ's running process, even though the key in question is a softkey used by a different application (the numbers on the phone dialler for instance which no app should have any business reading).

Sorry but so far I'm sceptical about the CNN article. Maybe someone can debunk exactly what's going on in the video which was posted then the CNN article and the security researcher's claims would be more valid. They have the burden of proof at this point.

What you type into the URL bar is not public -- but where you go when you hit enter is. It has to be. That is the way the web works. When you travel around you are broadcasting your IP as you connect to different servers around the globe. The servers that you connect to are under no obligation to hide the fact that you have been in there. Think of the Internet as a big city (a city where you really, really want to stay away from the red-light district); as you walk around you are essentially anonymous due to the mass of people, but in reality everything you are doing is in the open. If you walk into a store and buy something, the store is not violating your privacy by acknowledging that you were there. If this were not the case, society wouldn't work. The Internet is the same thing; it is essentially anonymous due to the overwhelming amount of traffic, but at the end of the day, everything you are doing is public.

Encrypted data, however, is a different thing entirely. Encrypted data is more akin to carrying a letter around this city in a sealed envelope. There IS an expectation of privacy as to the contents of that letter; you put it in an envelope so that the guy sitting next to you on the train can't read it. Now, I know that Google does analyze the content of encrypted emails, but you are using their service, so this should again be expected. If I were to write something on paper while sitting in a Google office, I would have a very different expectation of privacy; it should be expected that they are able to monitor what happens on their own service (or building, in this analogy).

CIQ, however, effectively breaks all of our expectations of privacy. In this analogy, even if you locked yourself in your bedroom, made sure nobody was around, wrote the letter, and then sealed it in a light-proof envelope, CIQ would still know what you wrote on that letter. They would know because THEY WATCHED YOU WRITING IT. While you were writing that letter and taking all the proper measures to keep it private, they had a camera over your shoulder watching as your pen scribbled across the page. It was never disclosed to you that this camera was here. Now, they are defending themselves by saying that we cannot prove that the camera was actually transmitting the data back home, but we know for a fact that it was there and it was recording data. This is why a keylogger is a whole new level of privacy violation; it violates the sanctity of the physical device you are working on. This is what makes it orders of magnitude worse than anything in Mark Zuckerberg's wildest dreams. This is also why keyloggers are almost universally criminal. To compare it to Google Analytics belies a fundamental misunderstanding of the tech at hand. There is a relevant exchange in Pulp Fiction:

Vincent: I didn't say it's the same thing, I said it's the same ballpark.
Jules: Ain't no fuckin' ballpark neither! It ain't the same fuckin' league, it ain't even the same fuckin' sport!

While these characters were talking about something different, the same principle applies. Not only are Google Analytics not the same ball park, they ain't even the same fuckin' sport. The difference in magnitude is astonishing, and making such ill-fitting comparisons only diminishes the affront to decency that this software poses.

Wrong yourself, or at least misleading - The carrier IQ that Apple ships with does not record anything at all by default, and even if you could figure out how to enable it records only a tiny bit of data, no keystrokes or SMS for example...

Nor do they obfuscate anything (unless you call shipping with it off a form of obfuscation).

I have never been so happy as to have a shit-stirrer of Al Franken's quality in our government. I think we need more cynical comedians in politics, just because they have some of the most eloquent BS detectors in the world. Murray/Aykroyd 2012!

And I think the answer to that will be, it was the carriers that decided what functions to enable. And the carriers were exempted from all electronic spying restrictions by the FISA extension of 2008 (aka absolve AT&T bill).

My understanding is that the information flows directly back to Carrier IQ. And that would be why they're fucked.

As I'm sure you know: Without complete corresponding source code to all of the software running on a phone, you'll never know the answer to those questions.

RMS knew the solution to this problem before the problem became widespread (as he often does) and he got the solution right early on: this is a social problem, not a technological problem. The solution is software freedom for all computer users for all the software they run.

Sadly, the Carrier IQ debacle is unlikely to propel people to see this solution. The problem is too weak in its urgency because Carrier IQ's (or any other workalike) privacy violations are merely annoying or scary. Privacy violations usually don't kill or maim anyone. Also, the affected audience has low market value: the general public. When proprietary software used in internal medical devices fails and kills someone, there will be another opportunity to talk of software freedom as a social solution to be taken seriously. And, for a time, people will be more receptive to the idea that all computer users deserve software freedom. People seem to have no problem hiring professionals in other fields they don't understand (plumbers, doctors, lawyers, mechanics, builders) so it's not far-fetched to expect the public to hire computer programmers to inspect and modify programs on their behalf.

As I'm sure you know: Without complete corresponding source code to all of the software running on a phone, you'll never know the answer to those questions.

It's worse than that.... even with complete source code you won't know the answer, because (a) you're not smart enough and/or you don't have enough time to analyze the thousands of pages of source code of all the software you run, and (b) even if you did, you have no way to guarantee that the source code you analyzed is the same as what is actually running on the phone, and (c) even if you had a way to guarantee that, you have no way to guarantee that there isn't other software running on the phone that you

So it really boils down to trust -- at some point you have to either trust your cell phone provider not to screw you, or stop using a cell phone

I don't see it that way. I have complete faith that my mobile provider will try to screw me, just like my ISP. A phone is just like any other equipment you connect to the Internet - you just consider networks that you do not control as hostile and go from there.

Access to source isn't necessarily a red herring, although you are right the bigger issue is trust. But source opens up markets for trust.

If you/someone you trust had access to the source of all the software on your phone/device you could use trusted services that compare your phone's software (binaries) to a trusted compile. (Trusted binaries could be provided by proprietary software creators, but I'd rather not trust the software creators and have it independently compiled by a company whose business is s

To go with an unfortunately appropriate analogy, CIQ is just a street-level heavy. Three of the largest telecom corporations in the United States are Al Capone. The latter party is almost certainly the driving force behind the former party's crimes; but he's virtually untouchable and isn't exactly going to get his hands dirty to keep a lackey from getting thrown under the bus.

The carriers, while they almost certainly are up to their eyeballs in slime, have zillion-page 'contracts' with the people they are screwing, massive lobbying expertise, and quite possibly de facto or even de jure legal impunity when it comes to a little of the old wiretapping (just look at the, er, unimpressive consequences when their collaboration with the NSA was revealed...) CIQ, by contrast, is just a little coder shop somewhere, 6 years of history, not even the flimsiest of contracts with any phone users, and no obvious friends. Everybody who isn't their customers certainly has no reason not to want them gone, and even their customers would almost certainly rather switch spyware vendors (they've got plenty of options) than endure the PR hit of defending their present vendor...

Much as I'd love to watch CIQ's operations burned down with those responsible locked inside, I suspect that the focus on CIQ will drown out the (far more dire) fact that contemporary communications technology is running headlong into the dystopian future, and the world is crawling with upmarket spyware vendors who provide very similar products and services worldwide. CIQ was unlucky enough to land in hot water

Just a little while back, Etisalat was trojaning its blackberry customers [blackberry.com] with (poorly made) spyware from the wonderful people at SS8 [ss8.com]. Guess who suffered no consequences whatsoever and is still merrily peddling "Lawful intercept solutions"?

Let's assume that the carriers put a clause in their agreements that authorizes them to collect and analyze all data. What happens if all carriers do this with all phones? If the only option is to not carry a phone, is there really an option?

That's why this needs to end up with a law that requires carriers to provide a real opt-out.

"Opt-out" is basically CYA bullshit. The notion that what amounts to 'consent through cluelessness' could possibly be valid makes a mockery of the idea of a contract. There's a reason why "opt-out" is so popular with various sorts of scumbags trying to avoid real control over their abuse of 'consumers'...

Were I a lawyer, I'd be looking at fraud...messages sent to and from people's phones without their authorization, silently jacking up people's phone bills (not everyone has unlimited data/messaging/talk). And were I Congress, I'd consider it under my jurisdiction because of their favorite clause in the constitution, the interstate commerce clause...someone is going to buy something, even if it's a ringtone, on one of those phones, and chances are the ringtone company is out of state, ergo it's interstate co

After all, your carrier already knows what numbers you are communicating with, how often, for how long, and when. They know the text of the messages you send, as well. The only difference is now there is a company who you are not directly paying who is also watching what you're up to. I'm not saying I approve of it, but it really isn't that big of a change from my perspective. If your carrier just sold your calling records to someone, would it be this much of an issue?

Ultimately, any carrier that doesn't already have this kind of detailed information on every one of their customers is at the least irresponsible and more likely idiotic - and even more likely soon out of business. Even for the "unlimited" plans out there, it is still worthwhile for the companies to watch what is going on in order to properly position themselves for future changes in consumer and business phone use.

While this is true, the part I find most disturbing about CarrierIQ is its capture of HTTPS request details and traffic over Wifi, neither of which would be available to the carrier otherwise. Yes, meta data related to calls are logged... carriers are in fact required to do so for a number of reasons (billing, mediation, audits, and servicing subpoenas, etc.). However, I do not subscribe to a data plan and any traffic I send over a Wifi connection should be between me, the Wifi router, and the remote machines I am connected to, particularly when using "secure" protocols like HTTPS.

Yes, they may have violated wiretapping law but I bet no one goes to jail and if there is a fine, it doesn't dent their profits. But these guys not only are above the law. They write it. There is an HBO documentary called Hot Coffee I recommend. You remember the McDonald's coffee case? An old lady who bought a cup of coffee, recklessly drove off with it between her legs suing for $2M?

Turns out there is a whole other side to these stories. In her case the coffee really was too hot (scalding temperature), a

IMO people who demonize CIQ are missing the target. You should demonize the companies who employed CIQ technology to spy on their customers.

The only thing CIQ is guilty of is being a for-profit company in a capitalist society. Where there is demand (AT&T, HTC, Samsung, Motorola) there will be supply (CIQ). Just like the spam issue.

If you don't extinguish the demand by penalizing CIQ's customers, perhaps through legislature, CIQ 2.0 will be incorporated in no time and you better believe the next root kit will be a lot harder to detect.

True, but you can install any app you want on a BlackBerry, including ones that allow users to use their own keys. You can even get BES for free and run your own mailserver with your own keys. I realize RIM has fallen behind in many areas, but I have to say I am quite disappointed that practically none of the major tech blogs has discussed the fact that Carrier IQ is not only not installed on BlackBerry devices, but it is a violation of RIM agreements for a carrier to install this app on a phone. From RIM support forum: [blackberry.com]

RIM can attest that it does not pre-install the CarrierIQ application on BlackBerry smartphones and has never done so. Furthermore, RIM does not authorize its carrier partners to install the CarrierIQ application on BlackBerry smartphones before sales or distribution and has never done so. RIM also did not develop or commission the development of the CarrierIQ application, nor is RIM involved in any way in the testing, promotion, or distribution of the CarrierIQ application.

"RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution," the company said in a statement. "RIM also did not develop or commission the development of the CarrierIQ application, and has no involvement in the testing, promotion, or distribution of the app," the statement said.

I know that that statement makes me fully confident... "CIQ is not installed on Blackberry smartphones." is short, punchy, and

They stated even more than what you stated: they stated that not only is it not installed on the phones, but it isn't authorized to be installed by carrier partners. How is that not a stronger statement? Then they continued on to state that they have never had anything to do with Carrier IQ. I don't understand how you infer otherwise.

Again, I will request that you directly point out the weakness in their statement to disprove your apparent lack of reading comprehension.

The BlackBerry platform allows anyone to install any app they want on their phones, and BES admins can also install anything they want. If RIM were to state "Carrier IQ is not installed on BlackBerry smartphones," they would probably be wrong. So the only thing they can state is that they do not install the software; they do not authorize their carrier partners to insta

A BES admin could install Carrier IQ on a phone without the user's knowing, so it is not possible for RIM to state "Carrier IQ is not installed on BlackBerries" because they are not in control of every BlackBerry.

Nope! [pcmag.com] "T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers' experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customers' Internet activity, nor is the tool used for marketing purposes."

Verizon, C Spire, MetroPCS, and US Cellular are the only US carriers currently denying Carrier IQ is used on their systems.

Why would the government purchase Carrier IQ's software or services? As it stands, there would appear to be absolutely no effective barriers to their just getting the data from the carrier who installed it...

I would immediately moderate that comment up if I had mod points today. That gibberish deserves to score (+5, insightful) for sure. Way better than the goatse or GNAA stuff that is usually posted anonymously here.

Is some CIA agent in Tangiers using Slashdot as a communication outpost

Admittedly, that wouldn't be that bad of an idea, since nobody reads Slashdot any more any ways.

To test, I think you'd have to set up your own cell, as this doesn't use the wifi network. People with their own personal cell tower to test with probably work for or with the carriers, and so are under NDA WRT the whole thing. About the only thing that could be done is a custom android build with this installed that would spit out the data before it was handed over to the radio. As the carriers have already stated that they use it to monitor QoS, there are likely trigger conditions that will cause the d

To test, I think you'd have to set up your own cell, as this doesn't use the wifi network. People with their own personal cell tower to test with probably work for or with the carriers, and so are under NDA WRT the whole thing.

Such a thing is called a microcell and can be purchased by the public.